This is the mail archive of the cygwin@cygwin.com mailing list for the Cygwin project.
Re: Passwordless login with ssh
Corinna Vinschen wrote:
On Wed, Oct 15, 2003 at 04:51:58PM -0700, Andrew DeFaria wrote:
Sorry, I searched the list and did not get a definitive answer. What
I'm trying to do is to secure things up a little bit around here. I
would like to use ssh. But I also want to allow valid users to ssh
<remote> <command> without being prompted for a password. I'm not
sure this is doable.
Reading from openssh-3.7.1p2-1.README I see
Authentication to sshd is possible in one of two ways. You'll have to
decide before starting sshd!
- If you want to authenticate via RSA and you want to login to that
machine to exactly one user account you can do so by running sshd
under that user account. You must change /etc/sshd_config to contain
the following:
RSAAuthentication yes
Moreover it's possible to use rhosts and/or rhosts with RSA
authentication by setting the following in sshd_config:
RhostsAuthentication yes
RhostsRSAAuthentication yes
Seems to me that the above says I can only use RSA Authentication IFF
I only want to allow one username to be able to login. Or
You missed the part under "Important change since 2.9p2":
"Since Cygwin is able to switch user context without password
beginning with version 1.3.2, OpenSSH now allows to do so when it's
running under a version >= 1.3.2. Keep in mind that `ntsec' has to be
activated to allow that feature."
No I saw that part too however it just seemed more confusing to me.
This is a bit too brief, I admit. Actually, the account that may switch
user context without password needs the "create a token object" privilege.
This is by default only the SYSTEM user. So, running sshd under the SYSTEM
account gives you what you want.
I currently have sshd running correctly as a service. I can log in as
any user however right now I need to specify my password:
$ ssh starbase id
Andrew@starbase's password:
uid=1003(Andrew) gid=513(DeFaria)
groups=513(DeFaria),544(Administrators),545(Users)
Now from what I see I need to run ssh-user-config to generate the
necessary keys for passwordless login:
$ ssh-user-config
/home/Andrew DeFaria
/home/Andrew DeFaria is set in /etc/passwd as your home directory
but it is not a valid directory. Cannot create user identity files.
Ugh! Seems ssh-user-config doesn't support directories with spaces in
them! (Would it be hard/impossible to support this?) Let me demonstrate
my problem at work where I have a home directory without a space.
$ ssh adefaria id
adefaria@adefaria's password:
uid=1370(adefaria) gid=513(Domain Users)
groups=1834(clearcase),512(Domain Admins),513(Domain
Users),2637(Employees-US-Security),1170(Everybody),1331(Software),1866(Software-US-Security)
Same situation. I can use ssh for any user but I must enter a password.
Now for ssh-user-config:
$ ssh-user-config
Shall I create an SSH1 RSA identity file for you? (yes/no) yes
Generating /us/adefaria/.ssh/identity
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Do you want to use this identity to login to this machine? (yes/no) yes
Adding to /us/adefaria/.ssh/authorized_keys
Shall I create an SSH2 RSA identity file for you? (yes/no) (yes/no) yes
Generating /us/adefaria/.ssh/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Do you want to use this identity to login to this machine? (yes/no) yes
Adding to /us/adefaria/.ssh/authorized_keys
Shall I create an SSH2 DSA identity file for you? (yes/no) (yes/no) yes
Generating /us/adefaria/.ssh/id_dsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Do you want to use this identity to login to this machine? (yes/no) yes
Adding to /us/adefaria/.ssh/authorized_keys
Configuration finished. Have fun!
$ ssh adefaria id
adefaria@adefaria's password:
uid=1370(adefaria) gid=513(Domain Users)
groups=1834(clearcase),512(Domain Admins),513(Domain
Users),2637(Employees-US-Security),1170(Everybody),1331(Software),1866(Software-US-Security)
As you can see ssh-user-config did not change the need to enter my
password for ssh.
Except on 2003 Server. There you'll have to create a new account (say
"sshd_srv", *not* "sshd") which is part of the admins group and has
the appropriate extra privileges
"Create a token object"
"Replace process level token"
"Increase quotas"
"Logon as a service"
The system account does of course own those user rights by default.
Unfortunately, if you choose that way, you can only logon with NT
password authentication and you should change /etc/sshd_config to
contain the following:
Yeah, should be rewritten.
RhostsAuthentication no
Ugh. Rhosts authentication is dropped entirely since 3.7p1.
Corinna
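An added diagnostic, not from the thread and not Cygwin's ssh-user-config, that replays the two preconditions the sessions above trip over: the home directory recorded in /etc/passwd must exist, and the generated key must sit in ~/.ssh/authorized_keys with permissions sshd accepts. It runs against a constructed passwd file in a temp directory; GNU `stat -c` is assumed available, as it is in Cygwin.

```shell
# Added diagnostic, not part of the thread or of Cygwin's ssh-user-config.
# Assumes GNU coreutils (stat -c), which Cygwin ships.

# check_pubkey_login USER PASSWD_FILE PUBKEY -> 0 if key login can work,
# otherwise a distinct non-zero code naming the first failed precondition.
check_pubkey_login() {
    user=$1; passwd_file=$2; pubkey=$3
    # field 6 of the passwd line is the home directory; it may contain spaces
    home=$(awk -F: -v u="$user" '$1 == u { print $6 }' "$passwd_file")
    [ -n "$home" ] || { echo "no passwd entry for $user"; return 1; }
    # this is the check ssh-user-config failed on for "/home/Andrew DeFaria"
    [ -d "$home" ] || { echo "home '$home' from passwd is not a directory"; return 2; }
    ak="$home/.ssh/authorized_keys"
    [ -f "$ak" ] || { echo "missing $ak"; return 3; }
    grep -qF -- "$pubkey" "$ak" || { echo "public key not in $ak"; return 4; }
    # sshd's StrictModes rejects a key file writable by group or others,
    # and silently falls back to the password prompt
    mode=$(stat -c '%a' "$ak")
    case "${mode#${mode%??}}" in
        *[2367]*) echo "$ak is group/world writable (mode $mode)"; return 5 ;;
    esac
    echo "ok: $ak holds the key for $user"
}

# setup_demo -> prints a temp dir holding a constructed passwd file and one
# working home; the "Andrew DeFaria" home deliberately does not exist.
setup_demo() {
    tmp=$(mktemp -d)
    printf '%s\n' \
        "Andrew:*:1003:513::$tmp/home/Andrew DeFaria:/bin/bash" \
        "adefaria:*:1370:513::$tmp/us/adefaria:/bin/bash" > "$tmp/passwd"
    mkdir -p "$tmp/us/adefaria/.ssh"
    echo 'ssh-rsa AAAA-constructed-key adefaria@work' \
        > "$tmp/us/adefaria/.ssh/authorized_keys"
    chmod 700 "$tmp/us/adefaria/.ssh"
    chmod 600 "$tmp/us/adefaria/.ssh/authorized_keys"
    echo "$tmp"
}

# usage: each call reports the first precondition that fails
d=$(setup_demo)
check_pubkey_login Andrew "$d/passwd" 'ssh-rsa AAAA-constructed-key' || echo "rc=$?"  # rc=2
check_pubkey_login adefaria "$d/passwd" 'ssh-rsa AAAA-constructed-key'               # rc=0
```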